Most businesses that have made the move towards an online presence have experienced some kind of security threat to their business. Since the Internet is a public system in which every transaction can be tracked, logged, monitored and stored in many locations, it is important for businesses to understand possible security threats to their business.
Security has three main concepts: confidentiality, integrity, and availability. Confidentiality allows only authorized parties to read protected information. Integrity ensures data remains as is from the sender to the receiver. Availability ensures you have access and are authorized to resources.
There are many threats to e-commerce that may come from sources within an organization or individual. The followings are some of the potential security threats that can be found.
(a) Tricking the shopper - It is one of the easiest and most profitable attacks, also known as social engineering techniques. These attacks involve surveillance of the shopper’s behavior, gathering information to use against the shopper.
(b)Snooping the shopper's computer - Most users’ knowledge of security vulnerabilities of their systems is vague at best. Additionally, software and hardware vendors, in their quest to ensure that their products are easy to install, will ship products with security features disabled. In most cases, enabling security features requires a non-technical user to read manuals written for the technologist. The confused user does not attempt to enable the security features. This creates a treasure trove for attackers.
(c)Sniffing the network - Here, the attacker monitors the data between the shopper’s computer and the server. He collects data about the shopper or steals personal information, such as credit card numbers.
(d)Using known server bugs - The attacker analyzes the site to find what types of software are used on the site. He then proceeds to find what patches were issued for the software. Additionally, he searches on how to exploit a system without the patch. He proceeds to try each of the exploits. The sophisticated attacker finds a weakness in a similar type of software, and tries to use that to exploit the system. This is a simple, but effective attack.
The example of current threat of online security are as follow:
(a) Automated SQL Injection Attacks: Over the past few months, IBM X-Force has seen an escalation of SQL injection and other web-related attacks. In the past few weeks, these attacks have culminated into automated SQL injection attacks that, in some cases, have systematically defaced websites.
(b)Active Exploitation - Adobe Flash Player RCE: Several reports have stated that a zero-day Flash vulnerability is being exploited through several Chinese hacker websites. All of the samples X-Force has seen target the vulnerability disclosed in this Advisory, and X-Force has confirmed that the IPS protection released in November of 2007 does block these samples that are circulating in the wild.